The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Scan GraphQL and Issues

Joe | Last updated: Jun 22, 2021 02:18PM UTC

I am attempting to get Issues from each Scan in Burp via Python but am running into errors:

    query2 = """{query: scan(id : $id){ id, } }"""
    variables = {"id": "201"}
    r2 = requests.post(url, proxies=proxies, json={'query': query2, 'variables': variables}, verify=False, headers={"Authorization":userinfo["api_token"]})

This results in the following error:

    {"errors":[{"message":"Validation error of type UndefinedVariable: Undefined variable id @ \u0027scan\u0027","extensions":{"code":77}}]}

What am I missing?

Uthman, PortSwigger Agent | Last updated: Jun 22, 2021 02:37PM UTC

Hi Joe,

A similar post you raised has been answered here:

- https://forum.portswigger.net/thread/graphql-e1192e397f9101b2d664aabbc43b

Can you double-check if that answers your question?

Joe | Last updated: Jun 22, 2021 03:16PM UTC

No, this does not answer my question. The other post was my attempt yesterday at getting a list of all scans. Today's problem is getting a specific scan and getting the issues from it. I've attempted to add "issues" to the query but that does not seem to help:

    query2 = """{query: scan(id: $id){ id, issues } }"""

This query results in the following error:

    {"errors":[{"message":"Validation error of type UndefinedVariable: Undefined variable id @ \u0027scan\u0027","extensions":{"code":77}},{"message":"Validation error of type MissingFieldArgument: Missing field argument start @ \u0027scan/issues\u0027","extensions":{"code":77}},{"message":"Validation error of type MissingFieldArgument: Missing field argument count @ \u0027scan/issues\u0027","extensions":{"code":77}},{"message":"Validation error of type SubSelectionRequired: Sub selection required for type null of field issues @ \u0027scan/issues\u0027","extensions":{"code":77}}]}

Uthman, PortSwigger Agent | Last updated: Jun 22, 2021 03:24PM UTC

Thanks for clarifying! Can you try this?

    query GetScanIssues {
      scan(id: 158) {
        id
        issues(start: 0, count: 1000) {
          issue_type {
            name
            description_html
            remediation_html
          }
        }
      }
    }

I would suggest using an API client to test this before passing it to your Python program. The errors are telling you that the 'start' and 'count' fields are missing in your query and you need to add a subselection for 'issues'.

Joe | Last updated: Jun 22, 2021 03:37PM UTC

Unfortunately, I do not have access to an API client in the environment I'm working within. I attempted this:

    query2 = """{query: scan(id: 201){ id, issues(start:0, count: 1000){ name description_html remediation_html } } }"""

It results in the following error:

    {"errors":[{"message":"Validation error of type FieldUndefined: Field \u0027name\u0027 in type \u0027Issue\u0027 is undefined @ \u0027scan/issues/name\u0027","extensions":{"code":77}}]}

Joe | Last updated: Jun 22, 2021 05:20PM UTC

"name" doesn't work because it's not available in issue. I used serial_number instead. Why does the argument I pass via the "variables" not work? I plan for the $id to be dynamic based on the list of scans I obtained yesterday.

Uthman, PortSwigger Agent | Last updated: Jun 23, 2021 07:26AM UTC

'name' is a field under issue_type (https://portswigger.net/burp/extensibility/enterprise/graphql-api/IssueType.html) and not issues. Can you try this, please?

    query2 = """{query: scan(id: 201){ id, issues(start:0, count: 1000){ issue_type { name description_html remediation_html } } } }"""

Joe | Last updated: Jun 23, 2021 01:21PM UTC

Thank you. I've integrated issue_type into the code with name.
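
Added example, not from the thread or from PortSwigger: the "Undefined variable id" error goes away once `$id` is declared in the operation signature, so the scan id can stay in `variables` and the query text never changes. The `ID!`/`Int!` types, the `post` hook and the offset-style paging are assumptions.

```python
# "($id: ID!, ...)" declares the variables; without it the server reports
# UndefinedVariable. Assumption: the ID!/Int! types match the API schema.
SCAN_ISSUES_QUERY = """
query GetScanIssues($id: ID!, $start: Int!, $count: Int!) {
  scan(id: $id) {
    id
    issues(start: $start, count: $count) {
      serial_number
      issue_type { name description_html remediation_html }
    }
  }
}
"""


class GraphQLError(Exception):
    """Raised when the response body carries an "errors" array."""


def build_payload(scan_id, start=0, count=1000):
    # Variables travel beside the query text, never spliced into it.
    return {"query": SCAN_ISSUES_QUERY,
            "variables": {"id": str(scan_id), "start": start, "count": count}}


def parse_issues(body):
    # Validation failures arrive as an "errors" array in the JSON body.
    if body.get("errors"):
        raise GraphQLError("; ".join(e["message"] for e in body["errors"]))
    return body["data"]["scan"]["issues"]


def fetch_all_issues(post, scan_id, page_size=1000):
    # post (hypothetical hook): payload dict in, decoded JSON response out.
    # Assumption: "start" is an offset, so a short page is the last one.
    issues, start = [], 0
    while True:
        page = parse_issues(post(build_payload(scan_id, start, page_size)))
        issues.extend(page)
        if len(page) < page_size:
            return issues
        start += page_size


if __name__ == "__main__":
    # Constructed response standing in for the server.
    sample = {"data": {"scan": {"id": "201", "issues": [
        {"serial_number": "1", "issue_type": {"name": "Example issue"}}]}}}
    print(fetch_all_issues(lambda payload: sample, 201))
```

In a real client, `post` would wrap the HTTP call, for example `lambda p: requests.post(url, json=p, headers=headers).json()`.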

Uthman, PortSwigger Agent | Last updated: Jun 23, 2021 01:37PM UTC